Tips for Efficient TrueCrypt/VeraCrypt Decryption
Quote: VeraCrypt and the former TrueCrypt are two of the most challenging types of encryption to bypass with regard to their popularity as full disk encryption software.

Unlike Bitlocker encryption, TrueCrypt/VeraCrypt may encrypt their containers and volumes with multiple encryption keys (cascade encryption) applying the encryption types one by one. TrueCrypt and VeraCrypt do not store the information about the cascade, and once the encrypted volume is to be mounted, they search for the right cascade. Passware Kit extracts possible encryption keys from a memory image or a system hibernation file (hiberfil.sys) and searches for the right cascade type, just as TrueCrypt/VeraCrypt does. Then Passware Kit decrypts the given container.

If the memory image is not available (it should be acquired when the target container or volume is mounted), only brute-force recovery of the original password is possible. The password recovery speed significantly depends on the number of encryption and hash algorithms that need to be checked, as well as the Personal Iterations Multiplier (PIM).

This article summarizes all the peculiarities of TrueCrypt/VeraCrypt encryption to help you understand how to make the decryption process more efficient.

TrueCrypt or VeraCrypt?
The main obstacle with TrueCrypt/VeraCrypt decryption is that password recovery for such containers does not have any effect if a user does not specify whether it is TrueCrypt or VeraCrypt. So, if you have a container to decrypt, the first task for you is to specify its application and encryption type, or at least to screen out irrelevant types using indirect indications.

For system partitions, Passware Kit analyzes the boot loader and recognizes whether the disk is TrueCrypt or VeraCrypt. Passware Kit also detects the system partitions of the GUID Partition Table (GPT) disks encrypted with VeraCrypt and further decrypts them. Since TrueCrypt does not support GPT, we can know for sure that this disk is VeraCrypt. Passware Kit Forensic detects it as VeraCrypt and starts an appropriate password recovery process.

For non-system partitions, it is impossible to tell which application was used. We recommend analyzing indirect indications, such as the target system registry and drivers, to deduce the disk type.

The registry key is either
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TrueCrypt
or
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VeraCrypt,
which indicates the application installed and assumes that it was used to create the target volume.

Encryption Hashes and Cascades
The TrueCrypt/VeraCrypt Random Number Generator uses a user-selected hash algorithm as a pseudorandom “mixing” function. When creating a new volume, the Random Number Generator generates the master key, secondary key, and the salt.

By default, Passware Kit checks for all possible encryption types. However, if a user knows the exact encryption and hash algorithm, he or she can specify them in the Passware Kit settings:

[Image: 14OwLQK.jpg]

Continue reading HERE
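
The indirect indications described above for non-system partitions (the Uninstall registry keys and the drivers) can be collected in one pass. The following is an added example, not part of the quoted article or of Passware Kit. The function name, the `HKLM\OfflineSW` mount name, the native 64-bit Uninstall path, and the driver file names `truecrypt.sys`/`veracrypt.sys` in the default driver directory are assumptions.

```powershell
# Added example (not from the quoted article). Assumptions are marked below.
function Get-DiskCryptoIndicator {
    param(
        # Root of a SOFTWARE hive: the live one, or an offline copy loaded with
        # `reg load HKLM\OfflineSW <path-to-SOFTWARE-hive>` (hypothetical mount name).
        [string]$SoftwareRoot = 'HKLM:\SOFTWARE',
        # Driver directory of the examined system (assumption: default location).
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )
    foreach ($app in 'TrueCrypt', 'VeraCrypt') {
        # The WOW6432Node path is the one quoted in the article; the native
        # 64-bit view is checked as well (assumption).
        $keys = @(
            @(
                "$SoftwareRoot\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$app",
                "$SoftwareRoot\Microsoft\Windows\CurrentVersion\Uninstall\$app"
            ) | Where-Object { Test-Path -LiteralPath $_ }
        )
        $version = $null
        if ($keys.Count -gt 0) {
            # DisplayVersion is a standard Uninstall value; it may be absent.
            $props = Get-ItemProperty -LiteralPath $keys[0] -ErrorAction SilentlyContinue
            $version = $props.DisplayVersion
        }
        # Assumed driver file name: <application name in lower case>.sys
        $driver = Join-Path $DriverDir ('{0}.sys' -f $app.ToLower())
        [pscustomobject]@{
            Application  = $app
            UninstallKey = ($keys -join '; ')
            Version      = $version
            DriverFound  = Test-Path -LiteralPath $driver
        }
    }
}

$found = @(Get-DiskCryptoIndicator)
$found | Format-Table -AutoSize

# Summarize which container format the indicators point to.
$hits = @($found | Where-Object { $_.UninstallKey -or $_.DriverFound })
switch ($hits.Count) {
    0       { 'No indicator found: both formats remain candidates.' }
    1       { "Only $($hits[0].Application) indicators present: check that format first." }
    default { 'Both applications left traces: both formats remain candidates.' }
}
```

As the article notes, an installed application only suggests which tool created the volume; it does not prove it.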